Waiting Game

Cybersecurity officials warn that the worst of Log4Shell exploits are yet to come.

Federal cybersecurity officials say there have been few successful exploits of a critical vulnerability in a widely used logging utility for Java-based software. It may only be a matter of time, however. They say the zero-day vulnerability in Apache Log4j will almost certainly represent a significant risk for years to come.

In a January briefing, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told reporters that “sophisticated adversaries” have likely already used the Log4Shell vulnerability to create backdoor access to targets around the globe. Now, these malicious actors are likely “just waiting to leverage their new access until network defenders are on a lower alert.”

CISA officials say that although they have no confirmed reports of significant intrusions involving Log4Shell, there are widespread instances of malicious actors scanning systems for the vulnerability. Thus far, successful exploits have primarily involved installing cryptomining software or capturing computers for use in botnets.

“This is just the tip of the iceberg,” said Forrester analyst Allie Mellen. “You can be sure attackers are building more complex attack chains to exploit this vulnerability further.”

A Ubiquitous Threat

It is the potential for widespread chaos that disturbs analysts and law enforcement officials. The Log4j utility is embedded in so many different applications and devices that some fear it will be next to impossible to find and fix every instance.

The Log4j utility is used by Java-based apps to maintain records of activities, including errors and system warnings. Because developers commonly build new software atop existing tools, the Log4j code has been propagated throughout the software stack for years. It now exists in countless mobile, web and enterprise applications running on desktops, servers, mobile phones, web browsers and televisions. More than 90 percent of enterprise cloud environments are vulnerable to Log4Shell, according to recent analysis from Wiz and Ernst & Young.

“This vulnerability is so dangerous because of its massive scale,” said Mellen. “Millions of applications use Log4j. Applications on the Internet are a complex system of interconnectedness, which makes it difficult to know what applications might be affected. Even if your software doesn’t use Log4j directly, you may use someone else’s software that does and not know it.”

The flaw enables hackers to trick Log4j into treating text that lands in a log entry as malicious code to be fetched and run. It can be as simple as typing the bad code into the public chat box of an online video game or changing the device name of a smartphone to an exploit string. Once the code is embedded, a hacker can use the compromised device to launch a variety of attacks.

Mitigating Risk

The vulnerability affects version 2.0 through version 2.14.1 of Apache Log4j. CISA says organizations using Java 8 or later should upgrade to Log4j version 2.17 or newer, and those using Java 7 should upgrade to version 2.12.3. However, CISA also notes that Java 7 is currently end-of-life and advises organizations to upgrade to Java 8.

“This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot,” said Mellen. “Patch any homegrown software that uses Log4j and coordinate with all vendors to make sure they aren’t affected or that they get patched in a timely manner.”

In addition, CISA recommends that all organizations take these actions to minimize the risk of Log4Shell exploitation:

  • Evaluate all software assets in identified solution stacks against the CISA-managed GitHub repository to determine whether Log4j is present in those assets.
  • Use scanning tools to discover all Internet-facing assets that allow data inputs and use the Log4j Java library anywhere in the stack.
  • Apply available patches immediately. Prioritize patching, starting with mission-critical systems, Internet-facing systems and networked servers.
  • Deploy a web application firewall to detect and block any Log4Shell exploits.
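As an added example (not from the article and not CISA's or Apache's tooling), a small Python inventory helper that walks JAR/WAR/EAR archives, including archives bundled inside them, locates log4j-core via the Maven pom.properties such JARs carry, and ranks each hit against the version figures the article quotes. The nested-WAR fixture it builds is constructed for the demonstration.

```python
"""Locate log4j-core inside JAR/WAR/EAR archives (nested ones included) and
classify each hit against the version ranges quoted in the article.
Constructed example; not CISA's or Apache's tooling."""
import io
import re
import zipfile
from typing import List, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven-built log4j-core JARs carry their version in this properties file.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a bare '2.0' pads to (2, 0, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version: str, java7: bool = False) -> str:
    """Rank a log4j-core version using the article's figures:
    2.0 through 2.14.1 affected; target 2.17+ on Java 8, 2.12.3 on Java 7."""
    v = parse_version(version)
    if v[0] != 2:
        return "outside_stated_range"
    if java7:
        return "fixed" if v >= (2, 12, 3) else "vulnerable"
    if (2, 0, 0) <= v <= (2, 14, 1):
        return "vulnerable"
    return "fixed" if v >= (2, 17, 0) else "below_target"

def find_log4j_core(data: bytes, path: str = "") -> List[Tuple[str, str]]:
    """Walk an archive given as bytes; return (location, version) for each
    log4j-core found, recursing into archives bundled inside it."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM_PATH:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                hits.append((path or "<root>", m.group(1).strip() if m else "unknown"))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_log4j_core(zf.read(name), f"{path}/{name}" if path else name))
    return hits

def build_sample(version: str) -> bytes:
    """Constructed fixture: a WAR that bundles log4j-core under WEB-INF/lib."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for loc, ver in find_log4j_core(build_sample("2.14.1")):
        print(f"{loc}: log4j-core {ver} -> {classify(ver)}")
```

Point find_log4j_core at the bytes of each deployed archive to build the asset list the first two CISA actions call for; a "below_target" result flags a copy that is above 2.14.1 but still short of the 2.17 floor the article cites.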

Even with these precautions, organizations should assume they’ve been compromised. They should continuously monitor systems for unusual traffic patterns and indicators of compromise. Because hackers can exploit the vulnerability in a variety of ways, traditional security tools that rely on signature-based detection will likely be unable to identify attacks. Organizations should implement a layered security approach with advanced detection capabilities.
